Route tables to resolve conflicts resulting from same related domains

The application domains feature of the Citrix Secure Private Access service enables customers to make routing decisions that allow related domains of applications to be routed externally or internally through Connector Appliances.

Consider that the customer has configured the same related domains within both a SaaS app and an internal web app. For example, if Okta is the SAML IdP for both Salesforce (SaaS app) and Jira (internal web app), then the admin might configure *.okta.com as a related domain in both apps’ configuration. This leads to a conflict, and the end user experiences inconsistent behavior. In this scenario, the admin can define rules to route these applications either externally or internally through the Connector Appliances, as required.

The Application Domains feature also enables admins to configure the Connector Appliances to bypass the customer’s web proxy servers to reach the internal web servers. These bypass policies were previously configured manually by running NSCLI commands on the Connector Appliance.

How the route table works

Admins can define the route type for the apps as External, Internal, Internal – bypass proxy, or External via Connector, depending on how they want the traffic to flow.

  • External – The traffic flows directly to the internet.
  • Internal – The traffic flows via the Connector Appliance.
    • For a web app, the traffic flows within the data center.
    • For a SaaS app, the traffic is routed outside the network through the Connector Appliance.
  • Internal – bypass proxy – The domain traffic is routed through Citrix Cloud Connector Appliances, bypassing the customer’s web proxy configured on the Connector Appliance.
  • External via Connector – The apps are external, but the traffic must flow through the Connector Appliance to the outside network.

Note:

  • Route entries do not impact the security policies that are configured on the apps.
  • If admins do not intend to use an entry in the route table or if the corresponding apps are not working as intended, admins can simply disable the entry instead of deleting it.
  • All Connector Appliances for a particular customer, irrespective of the app type, get the SSO settings. Previously, the SSO setting for a particular app was tied to a resource location.

Main route table

The main route table is accessible from the Secure Private Access tile.

  1. Log on to your Citrix Cloud account.
  2. On the Secure Private Access tile, click Manage.
  3. In the navigation pane, click Settings. The Application Domains page appears.

(Screenshot: Main route table)

The main route table displays the following columns.

  • FQDN/IP: The FQDN or IP address for which the traffic routing type is configured.
  • Type: The route type (Internal, External, or External via Connector) selected when the app was added.

    Important:

    If there are conflicts, an alert icon is displayed for the respective row in the table. To resolve the conflict, admins must click the triangular alert icon and change the app type from the main table.

  • Resource location: Resource location for routing of type Internal. If a resource location is not allocated, a triangular icon appears in the Resource location column for the respective app. When you hover on the icon, the following message is displayed.

    Missing resource location. Ensure that a resource location is associated with this FQDN.

  • Status: The toggle switch in the Status column disables the route for a route entry without deleting the app. When the toggle switch is turned OFF, the route entry does not take effect. Also, if multiple entries with exactly matching FQDNs exist, admins can select which route is enabled or disabled.
  • Comments: Displays comments, if any.
  • Actions: The edit icon is used to add a resource location or change the type of route entry. The delete icon is used to delete the route.

Add an FQDN to the Application Domains table

Admins can add an FQDN into the Application Domains table and choose the appropriate routing type for it.

  1. Click Add on the Application Domains page.
  2. Enter the FQDN name and select the appropriate routing type for the FQDN.

(Screenshot: Add a route entry)

Mini route table

A mini version of the Application Domains table is available for making routing decisions during app configuration. The mini route table is available in the App Connectivity section of the Citrix Secure Private Access service user interface.

To add routes to the mini route table

The steps to add an app in the Citrix Secure Private Access service remain the same as described in the topics Support for software as a service apps and Support for Enterprise web apps, except for the following two changes:

  1. Complete the following steps:
    • Choose a template.
    • Enter app details.
    • Choose enhanced security details, as applicable.
    • Select the single sign-on method, as applicable.
  2. Click App Connectivity. A mini version of the Application Domains table is available for making routing decisions during app configuration.

    (Screenshot: Mini route table)

    • Domains: The Domains column displays one or more rows for a particular app. The first row displays the actual app URL that the admin entered while adding the app details. The other rows are the related domains entered while adding the app details. If the app URL and a related domain are the same, they are displayed in one row. One row displays the SAML assertion URL, if SAML SSO is selected.
    • Type: Select one of the following options.
      • External – The traffic flows directly to the internet.
      • Internal – The traffic flows via the Connector Appliance and the app is treated as a web app.
        • For a web app, the traffic flows within the data center.
        • For a SaaS app, the traffic is routed outside the network through the Connector Appliance.
      • Internal – bypass proxy – The domain traffic is routed through Citrix Cloud Connector Appliances, bypassing the customer’s web proxy configured on the Connector Appliance.
      • External via Connector – The apps are external, but the traffic must flow via the Connector Appliance to the outside network.
    • Resource Location: Autopopulated when you select the type Internal for an app. Change it if a different resource location is desired.
    • Connector Appliance Status: Autopopulated, along with the resource location, when you select the type Internal for an app.
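The following is an added, illustrative model of the route-table semantics described in "How the route table works", "Main route table" and the mini route table above; it is not Citrix code and does not call any Citrix API. It reproduces the behaviour the page states: a domain that two apps configure with different route types raises a conflict alert instead of silently winning, the admin resolves it by changing the type from the main table, a Status toggle turned OFF means the entry does not take effect, and an entry routed via a Connector Appliance without a resource location is flagged. The class and function names (RouteType, RouteTable, okta_example), the longest-wildcard-wins lookup, and the app URLs are assumptions constructed for the example.

```python
"""Illustrative model of the Application Domains route table (added example,
not Citrix code). Names and matching rules below are assumptions."""
from dataclasses import dataclass, field
from enum import Enum
from fnmatch import fnmatchcase
from typing import Optional


class RouteType(Enum):
    EXTERNAL = "External"
    INTERNAL = "Internal"
    INTERNAL_BYPASS_PROXY = "Internal - bypass proxy"
    EXTERNAL_VIA_CONNECTOR = "External via Connector"


# Types whose traffic passes through a Connector Appliance and so need a resource location.
NEEDS_RESOURCE_LOCATION = {RouteType.INTERNAL, RouteType.INTERNAL_BYPASS_PROXY,
                           RouteType.EXTERNAL_VIA_CONNECTOR}


@dataclass
class RouteEntry:
    fqdn: str                                # exact host or wildcard such as *.okta.com
    route_type: RouteType
    resource_location: Optional[str] = None  # None shows the "Missing resource location" alert
    enabled: bool = True                     # the Status toggle; OFF means the entry is ignored
    apps: set = field(default_factory=set)   # apps whose configuration contributed this FQDN
    conflict: bool = False                   # the alert icon: same FQDN, different route types


class RouteTable:
    def __init__(self):
        self.entries = {}  # lower-cased FQDN -> RouteEntry

    def add_from_app(self, app, fqdn, route_type, resource_location=None):
        """Register an app URL or related domain from an app's configuration.
        If another app already contributed the same FQDN with a different type,
        the row is marked as a conflict rather than overwritten."""
        key = fqdn.lower()
        entry = self.entries.get(key)
        if entry is None:
            self.entries[key] = RouteEntry(key, route_type, resource_location, apps={app})
            return
        entry.apps.add(app)
        if entry.route_type != route_type:
            entry.conflict = True

    def set_type(self, fqdn, route_type, resource_location=None):
        """Admin edit from the main table: choosing a type clears the conflict."""
        entry = self.entries[fqdn.lower()]
        entry.route_type = route_type
        if resource_location is not None:
            entry.resource_location = resource_location
        entry.conflict = False

    def set_enabled(self, fqdn, enabled):
        """The Status toggle: disable a route without deleting the entry."""
        self.entries[fqdn.lower()].enabled = enabled

    def conflicts(self):
        return sorted(e.fqdn for e in self.entries.values() if e.conflict)

    def missing_resource_location(self):
        """Enabled entries routed via a Connector Appliance with no resource location."""
        return sorted(e.fqdn for e in self.entries.values()
                      if e.enabled and e.route_type in NEEDS_RESOURCE_LOCATION
                      and not e.resource_location)

    def resolve(self, host):
        """Route lookup for a host: enabled entries only, exact match first, then the
        most specific (longest) matching wildcard; None if nothing matches."""
        host = host.lower()
        exact = self.entries.get(host)
        if exact is not None and exact.enabled:
            return exact
        best = None
        for e in self.entries.values():
            if e.enabled and e.fqdn.startswith("*.") and fnmatchcase(host, e.fqdn):
                if best is None or len(e.fqdn) > len(best.fqdn):
                    best = e
        return best


def okta_example():
    """The page's scenario: *.okta.com is a related domain of both Salesforce
    (SaaS app, External) and Jira (internal web app, Internal). App URLs and the
    resource location name are constructed for the example."""
    table = RouteTable()
    table.add_from_app("Salesforce", "salesforce.example", RouteType.EXTERNAL)
    table.add_from_app("Salesforce", "*.okta.com", RouteType.EXTERNAL)
    table.add_from_app("Jira", "jira.corp.example", RouteType.INTERNAL, "DC-East")
    table.add_from_app("Jira", "*.okta.com", RouteType.INTERNAL)
    before = table.conflicts()                        # ['*.okta.com'] flagged with the alert icon
    table.set_type("*.okta.com", RouteType.EXTERNAL)  # admin decides Okta is reached directly
    after = table.conflicts()                         # [] once the type is set from the main table
    return table, before, after


if __name__ == "__main__":
    t, before, after = okta_example()
    print("conflicts before:", before, "after:", after)
    print("login.okta.com ->", t.resolve("login.okta.com").route_type.value)
```

Running the module shows the conflict appearing when Jira contributes *.okta.com with a different type and disappearing once the admin sets the type once, centrally, which is the point of keeping a single main route table rather than per-app settings. The lookup also illustrates the Status toggle: a disabled *.okta.com entry simply stops matching, so Okta traffic falls back to whatever other entry applies (here none), without the app configuration being deleted.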